Data Processing Agreement

Between

Cazzaniga & Gaudenzi, a business registered in Italy, operating an e-commerce platform accessible at https://cazzanigaegaudenzi.com (hereinafter referred to as the "Controller")

And

Shopify International Limited, a company registered at 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter referred to as the "Processor")

Collectively referred to as the "Parties."

1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below:

1.1 "Agreement" means this Data Processing Agreement, including all Annexes attached hereto.

1.2 "Controller" means Cazzaniga & Gaudenzi, which determines the purposes and means of the processing of Personal Data, as defined under Article 4(7) GDPR.

1.3 "Processor" means the entity identified above that processes Personal Data on behalf of the Controller, as defined under Article 4(8) GDPR.

1.4 "Data Subject" means any identified or identifiable natural person whose Personal Data is processed under this Agreement, as defined under Article 4(1) GDPR. In the context of Cazzaniga & Gaudenzi's e-commerce operations, this includes customers, registered users, newsletter subscribers, and website visitors located in the European Union and the European Economic Area.

1.5 "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Article 4(1) GDPR.

1.6 "Processing" means any operation or set of operations performed on Personal Data, as defined under Article 4(2) GDPR.

1.7 "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as defined under Article 4(12) GDPR.

1.8 "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller in relation to Personal Data covered by this Agreement.

1.9 "Supervisory Authority" means the Italian data protection authority, the Garante per la protezione dei dati personali (hereinafter "Garante"), as the lead supervisory authority for the Controller, as well as any other competent supervisory authority under Article 55 GDPR.

1.10 "Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR via Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.11 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2. Purpose and Scope

2.1 This Agreement governs the rights and obligations of the Parties with respect to the processing of Personal Data carried out by the Processor on behalf of Cazzaniga & Gaudenzi in connection with the Controller's e-commerce operations conducted via https://cazzanigaegaudenzi.com.

2.2 This Agreement is entered into pursuant to Article 28(3) GDPR, which requires that processing by a Processor on behalf of a Controller be governed by a binding contract or other legal act setting out the subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects.

2.3 This Agreement supplements and forms part of any existing commercial agreement between the Parties. In the event of any conflict between this Agreement and any other agreement between the Parties concerning data processing matters, this Agreement shall prevail.

2.4 The Processor acknowledges that it acts solely in the capacity of Processor with respect to the Personal Data processed under this Agreement and shall not process such data for any purpose other than those explicitly set out herein.

3. Details of Processing

3.1 Subject Matter

The Processor shall process Personal Data for the purpose of providing services to Cazzaniga & Gaudenzi in connection with the operation of its e-commerce platform, including but not limited to: order management, payment processing, logistics and delivery, customer support, marketing communications, fraud prevention, and website analytics.

3.2 Duration

Processing shall commence on the date this Agreement enters into force and shall continue for the duration of the commercial relationship between the Parties, unless terminated earlier in accordance with Section 13 of this Agreement.

3.3 Nature of Processing

The nature of processing includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction of Personal Data, as necessitated by the services rendered by the Processor to Cazzaniga & Gaudenzi.

3.4 Purpose of Processing

Personal Data shall be processed exclusively for the following purposes:

  • Fulfilment of customer orders placed through https://cazzanigaegaudenzi.com;
  • Processing of payments and management of financial transactions;
  • Management of product returns, refunds, and customer disputes;
  • Delivery and logistics coordination with shipping partners;
  • Provision of customer service and after-sales support;
  • Sending of transactional communications related to purchases;
  • Where applicable and subject to valid consent, sending of promotional and marketing communications;
  • Detection and prevention of fraudulent activities;
  • Website performance monitoring and analytics;
  • Compliance with applicable legal obligations.

3.5 Categories of Personal Data

The Personal Data processed under this Agreement may include:

  • Identification data: full name, username, account credentials;
  • Contact data: email address, telephone number, billing and delivery addresses;
  • Financial data: payment card details (handled via PCI-DSS compliant payment processors), invoice information, transaction history;
  • Behavioural data: browsing history on https://cazzanigaegaudenzi.com, purchase history, product preferences, shopping cart data;
  • Technical data: IP addresses, cookie identifiers, device information, browser type, session data;
  • Communications data: correspondence between Data Subjects and Cazzaniga & Gaudenzi's customer service.

3.6 Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • Registered account holders on https://cazzanigaegaudenzi.com;
  • Guest purchasers who complete transactions without creating an account;
  • Newsletter and marketing communication subscribers;
  • Visitors to the website whose data is collected via cookies and tracking technologies, subject to the ePrivacy Directive (2002/58/EC) and applicable Italian cookie law requirements;
  • Individuals who contact Cazzaniga & Gaudenzi via customer service channels.

4. Obligations of the Processor

The Processor shall:

4.1 Process only on documented instructions. Process Personal Data only on documented instructions from Cazzaniga & Gaudenzi, unless required to do so by Union law or the law of the Italian Republic to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless such law prohibits this on grounds of public interest, in accordance with Article 28(3)(a) GDPR.

4.2 Confidentiality. Ensure that persons authorised to process Personal Data on behalf of Cazzaniga & Gaudenzi have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) GDPR.

4.3 Security measures. Implement and maintain all technical and organisational measures required under Article 32 GDPR, as further detailed in Section 7 of this Agreement, to ensure a level of security appropriate to the risk posed to the rights and freedoms of Data Subjects.

4.4 Sub-processing. Not engage any Sub-processor without prior specific or general written authorisation from Cazzaniga & Gaudenzi, in accordance with Article 28(2) GDPR, and subject to the conditions set out in Section 6 of this Agreement.

4.5 Assistance with Data Subject rights. Taking into account the nature of the processing, assist Cazzaniga & Gaudenzi by implementing appropriate technical and organisational measures, insofar as reasonably possible, to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR, including the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21).

4.6 Compliance assistance. Assist Cazzaniga & Gaudenzi in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and information available to the Processor, including obligations related to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with the Garante.

4.7 Deletion or return of data. At the choice of Cazzaniga & Gaudenzi, delete or return all Personal Data upon termination of the provision of processing services, and delete existing copies unless Union law or Italian national law requires storage of the Personal Data, in accordance with Article 28(3)(g) GDPR.

4.8 Audit and inspection. Make available to Cazzaniga & Gaudenzi all information necessary to demonstrate compliance with the obligations under Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with Article 28(3)(h) GDPR. The Processor shall immediately inform Cazzaniga & Gaudenzi if, in its opinion, an instruction infringes the GDPR or other applicable Union or Member State data protection provisions.

4.9 Records of Processing Activities. Maintain written records of all categories of processing activities carried out on behalf of Cazzaniga & Gaudenzi in accordance with Article 30(2) GDPR, and make such records available to the Garante upon request.

4.10 No independent use of data. Not use Personal Data processed under this Agreement for the Processor's own purposes, commercial gain, profiling, or any purpose not authorised in writing by Cazzaniga & Gaudenzi.

5. Obligations of the Controller

Cazzaniga & Gaudenzi shall:

5.1 Ensure that there is a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for all processing activities it instructs the Processor to carry out.

5.2 Provide the Processor with documented instructions for processing that are lawful, clear, and consistent with this Agreement and applicable data protection law.

5.3 Ensure that Data Subjects are provided with appropriate privacy information pursuant to Articles 13 and 14 GDPR via the privacy policy published on https://cazzanigaegaudenzi.com.

5.4 Ensure that all necessary consents, where required under Article 6(1)(a) GDPR or Article 7 GDPR, have been validly obtained from Data Subjects prior to instructing the Processor to carry out consent-based processing activities, including marketing communications.

5.5 Promptly notify the Processor of any instruction it considers may conflict with applicable data protection law, and refrain from issuing unlawful instructions.

5.6 Be responsible for determining the purposes and means of processing and for all decisions relating to Personal Data that fall within the competence of a Controller under the GDPR.

5.7 Cooperate with the Processor in fulfilling obligations under this Agreement and ensure that authorised personnel are available for consultation purposes.

6. Sub-processing

6.1 The Processor shall not engage a Sub-processor without the prior specific or general written authorisation of Cazzaniga & Gaudenzi, in accordance with Article 28(2) GDPR.

6.2 Where the Controller grants general written authorisation, the Processor shall inform Cazzaniga & Gaudenzi of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes within a reasonable period, not less than thirty (30) calendar days of receipt of such notification.

6.3 Where the Processor engages a Sub-processor, it shall impose on that Sub-processor, by way of a written contract, the same data protection obligations as set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures, in accordance with Article 28(4) GDPR.

6.4 Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to Cazzaniga & Gaudenzi for the performance of the Sub-processor's obligations, pursuant to Article 28(4) GDPR.

6.5 The Processor shall make available to Cazzaniga & Gaudenzi, upon request, a list of Sub-processors currently engaged in the processing of Personal Data under this Agreement. The current list of approved Sub-processors is set out in Annex C to this Agreement.

7. Security of Processing

7.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32(1) GDPR.

7.2 Such measures shall include, as appropriate:

  • (a) Pseudonymisation and encryption of Personal Data where technically and operationally feasible;
  • (b) Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • (c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • (d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring security of processing;
  • (e) Access control policies limiting access to Personal Data to authorised personnel on a strict need-to-know basis;
  • (f) Logging and monitoring of access to systems containing Personal Data;
  • (g) Regular security assessments, penetration testing, and vulnerability management;
  • (h) Secure data transmission protocols (TLS/SSL) for all data exchanged with https://cazzanigaegaudenzi.com;
  • (i) Employee training on data protection and information security;
  • (j) Physical security measures protecting infrastructure used to process Personal Data.

7.3 The Processor shall ensure that any natural person acting under its authority who has access to Personal Data does not process such data except on the instructions of Cazzaniga & Gaudenzi, unless required to do so by Union or Italian national law, pursuant to Article 32(4) GDPR.

7.4 The Parties acknowledge that the security requirements applicable to e-commerce operations necessitate particular attention to the security of payment and financial data. Where the Processor handles payment card data, it shall ensure compliance with the Payment Card Industry Data Security Standard (PCI-DSS) at the applicable level.

8. Personal Data Breach Notification

8.1 The Processor shall notify Cazzaniga & Gaudenzi without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement, in order to enable the Controller to comply with its notification obligations to the Garante under Article 33 GDPR (which requires notification within seventy-two (72) hours of becoming aware of a breach).

8.2 The notification provided by the Processor pursuant to Section 8.1 shall, to the extent information is available at the time of notification, include:

  • (a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • (b) The name and contact details of the Processor's data protection point of contact or representative from whom further information can be obtained;
  • (c) A description of the likely consequences of the Personal Data Breach;
  • (d) A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3 Where information cannot be provided simultaneously, it may be provided in phases without undue further delay, in accordance with Article 33(4) GDPR.

8.4 The Processor shall cooperate fully with Cazzaniga & Gaudenzi and provide all reasonable assistance required to enable the Controller to comply with its obligations under Articles 33 and 34 GDPR, including notification to affected Data Subjects where required.

8.5 The Processor shall document all Personal Data Breaches, including those that do not require notification to the Garante, pursuant to Article 33(5) GDPR, and shall make such documentation available to Cazzaniga & Gaudenzi upon request.

9. International Transfers of Personal Data

9.1 The Processor shall not transfer Personal Data processed under this Agreement to a third country outside the European Economic Area or to an international organisation without the prior written authorisation of Cazzaniga & Gaudenzi and unless:

  • (a) The transfer is to a country benefiting from an adequacy decision adopted by the European Commission pursuant to Article 45 GDPR;
  • (b) Appropriate safeguards pursuant to Article 46 GDPR are in place, including execution of Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
  • (c) A derogation under Article 49 GDPR applies in specific situations.

9.2 Where the Processor relies on Standard Contractual Clauses for international transfers, it shall enter into the applicable module of the SCCs adopted pursuant to Commission Implementing Decision (EU) 2021/914 with the relevant entity in the third country, and shall provide copies to Cazzaniga & Gaudenzi upon request.

9.3 Where the Processor relies on Standard Contractual Clauses, the Processor shall conduct and document a Transfer Impact Assessment in accordance with the guidance issued by the European Data Protection Board, and shall make such assessment available to Cazzaniga & Gaudenzi upon request.

9.4 The Processor shall promptly inform Cazzaniga & Gaudenzi of any changes to the legal framework of any third country to which it transfers Personal Data that may affect the level of protection afforded to such data.

10. Data Protection Officer

10.1 Where the Processor is required to designate a Data Protection Officer pursuant to Article 37 GDPR, it shall communicate the contact details of its Data Protection Officer to Cazzaniga & Gaudenzi and shall keep such information updated.

10.2 The Processor shall ensure that its Data Protection Officer or equivalent privacy contact is available to liaise with Cazzaniga & Gaudenzi and the Garante in connection with the processing activities governed by this Agreement.

10.3 If Cazzaniga & Gaudenzi has appointed a Data Protection Officer or privacy contact, the Processor shall direct relevant data protection queries and communications to that designated person.

11. Data Protection Impact Assessments and Prior Consultation

11.1 Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall assist Cazzaniga & Gaudenzi in carrying out a Data Protection Impact Assessment (DPIA) as required under Article 35 GDPR, providing all relevant information in its possession concerning the processing operations.

11.2 The Processor shall assist Cazzaniga & Gaudenzi in carrying out any prior consultation with the Garante required under Article 36 GDPR where a DPIA indicates that processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.

11.3 Processing activities in the e-commerce context that may require a DPIA include, but are not limited to, large-scale profiling of Data Subjects for targeted marketing, implementation of new tracking or analytics technologies, and the use of automated decision-making processes that produce legal or similarly significant effects on Data Subjects.

12. Audit and Inspection Rights

12.1 The Processor shall make available to Cazzaniga & Gaudenzi, upon reasonable written request and with not less than fifteen (15) business days' notice (except in the case of a suspected Personal Data Breach or regulatory investigation where notice requirements may be reduced), all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this Agreement.

12.2 Cazzaniga & Gaudenzi, or an auditor mandated by it, shall have the right to conduct audits and inspections of the Processor's data processing activities and facilities relevant to this Agreement no more than once per calendar year, unless a reasonable cause for additional audits exists, including following a Personal Data Breach.

12.3 The Processor shall cooperate fully with such audits and shall ensure that relevant personnel and documentation are made available. Costs associated with the audit shall be borne by Cazzaniga & Gaudenzi unless the audit reveals a material breach of this Agreement by the Processor, in which case costs shall be borne by the Processor.

12.4 Where the Processor holds a current, relevant third-party certification (e.g., ISO/IEC 27001) or audit report (e.g., SOC 2 Type II) covering the processing activities under this Agreement, such reports may be provided in substitution for part of an audit, at the sole discretion of Cazzaniga & Gaudenzi.

13. Term and Termination

13.1 This Agreement shall enter into force on the date of the last signature by either Party and shall remain in effect for the duration of the commercial relationship between the Parties.

13.2 Either Party may terminate this Agreement upon thirty (30) calendar days' written notice to the other Party, unless a shorter notice period is specified in the principal commercial agreement between the Parties.

13.3 Either Party may terminate this Agreement with immediate effect by written notice if the other Party commits a material breach of this Agreement or the GDPR that is not remedied within fifteen (15) calendar days of receipt of written notice identifying the breach.

13.4 Upon termination or expiry of this Agreement, the Processor shall, at the election of Cazzaniga & Gaudenzi made in writing within thirty (30) days of termination, either:

  • (a) Return all Personal Data (and any existing copies thereof) to Cazzaniga & Gaudenzi in a commonly used and machine-readable format; or
  • (b) Securely delete and destroy all Personal Data and certify in writing to Cazzaniga & Gaudenzi that such deletion and destruction has been completed,

unless Union law or the law of the Italian Republic requires continued storage of the Personal Data.

13.5 Sections 4, 7, 8, 9, 12, 14, and 15 of this Agreement shall survive termination or expiry.

14. Liability

14.1 Each Party's liability under this Agreement shall be subject to the provisions of the GDPR, in particular Articles 82, 83, and 84, and to any applicable provisions of Italian national law implementing or supplementing the GDPR, including Legislative Decree No. 196/2003 (as amended by Legislative Decree No. 101/2018) (the "Italian Privacy Code").

14.2 Where both the Controller and Processor are responsible for damage caused by processing in violation of the GDPR, each shall be held liable for the entire damage under Article 82(4) GDPR, subject to the right of recovery from the other Party to the extent that liability is established.

14.3 The Processor shall be exempt from liability under Article 82(3) GDPR if it proves that it is not in any way responsible for the event giving rise to the damage.

14.4 Nothing in this Agreement shall limit or exclude either Party's liability to the extent that such liability cannot be excluded or limited under applicable law, including liability for fraud, gross negligence, or wilful misconduct.

15. General Provisions

15.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the Italian Republic, including the provisions of the Italian Privacy Code (Legislative Decree No. 196/2003, as amended), and interpreted in conformity with the GDPR.

15.2 Jurisdiction

Any dispute arising out of or in connection with this Agreement that cannot be resolved by mutual agreement shall be subject to the exclusive jurisdiction of the courts of Italy, with the competent court to be determined in accordance with applicable Italian procedural rules.

15.3 Entire Agreement

This Agreement, together with its Annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings relating to data processing between the Parties.

15.4 Amendments

This Agreement may only be amended by a written instrument signed by duly authorised representatives of both Parties. Any changes required to bring this Agreement into compliance with new or amended data protection legislation shall be incorporated as soon as reasonably practicable.

15.5 Severability

If any provision of this Agreement is found to be invalid or unenforceable by a competent court or supervisory authority, the remaining provisions shall continue in full force and effect. The Parties shall negotiate in good faith to replace the invalid or unenforceable provision with a valid provision that, to the greatest extent possible, achieves the same economic and legal effect.

15.6 Assignment

Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party, except that Cazzaniga & Gaudenzi may assign this Agreement to a successor entity in connection with a merger, acquisition, or sale of substantially all of its assets, provided that the successor entity assumes all obligations under this Agreement.

15.7 Notices

All notices and communications under this Agreement shall be in writing and delivered by email (with confirmation of receipt) or by registered mail to the addresses of the respective Parties as set out in the signature block below or as otherwise notified in writing.

15.8 Language

This Agreement is executed in the English language. In the event of any conflict between an English version and any translation, the English version shall prevail.

Annex A — Technical and Organisational Security Measures

The Processor shall implement and maintain, at minimum, the following technical and organisational measures in relation to Personal Data processed on behalf of Cazzaniga & Gaudenzi:

A.1 Access Control

  • Role-based access control (RBAC) ensuring access to Personal Data is limited to personnel who require it to perform their designated functions;
  • Multi-factor authentication (MFA) for all systems storing or processing Personal Data;
  • Formal access provisioning and de-provisioning procedures;
  • Regular review of access rights, conducted at least every six (6) months.

A.2 Encryption and Pseudonymisation

  • Encryption of Personal Data at rest using industry-standard algorithms (minimum AES-256);
  • Encryption of Personal Data in transit using TLS 1.2 or higher;
  • Pseudonymisation of Personal Data where technically feasible and appropriate to the processing context.

A.3 Data Integrity and Availability

  • Regular automated backups of Personal Data with defined recovery time objectives (RTO) and recovery point objectives (RPO);
  • Business continuity and disaster recovery plans tested at least annually;
  • Redundant infrastructure to ensure availability and resilience of processing systems.

A.4 Incident Detection and Response

  • Security information and event management (SIEM) systems or equivalent monitoring;
  • Documented incident response procedures with defined escalation paths;
  • Regular penetration testing and vulnerability assessments;
  • Patch management procedures ensuring timely application of security updates.

A.5 Physical Security

  • Restricted physical access to data centres and server rooms;
  • Environmental controls including fire suppression, cooling, and power redundancy;
  • Secure disposal of physical media containing Personal Data.

A.6 Organisational Measures

  • Documented data protection policies and procedures aligned with GDPR requirements;
  • Mandatory data protection and information security training for all personnel with access to Personal Data, conducted at least annually;
  • Confidentiality agreements binding all personnel with access to Personal Data;
  • Designated internal responsibility for data protection compliance.

Annex B — Specific Instructions for Processing

The Processor is authorised to process Personal Data solely in accordance with the following documented instructions issued by Cazzaniga & Gaudenzi:

B.1 Process customer order data exclusively for the purpose of fulfilling purchases made through https://cazzanigaegaudenzi.com.

B.2 Process payment data exclusively through PCI-DSS compliant payment processing systems; the Processor shall not store full payment card numbers in raw form.

B.3 Transmit delivery and shipping data to authorised logistics Sub-processors solely for the purpose of delivering orders to customers.

B.4 Retain Personal Data only for the periods specified in Cazzaniga & Gaudenzi's data retention schedule, copies of which will be provided to the Processor upon request.

B.5 Process Personal Data for marketing and promotional communications only in respect of Data Subjects who have provided valid, documented consent in accordance with Article 6(1)(a) and Article 7 GDPR and, where applicable, the ePrivacy Directive (2002/58/EC).

B.6 Not combine Personal Data obtained under this Agreement with personal data obtained from other sources or clients of the Processor without the prior written consent of Cazzaniga & Gaudenzi.

B.7 Promptly follow any updated written instruction issued by Cazzaniga & Gaudenzi that does not conflict with applicable data protection law.

Annex C — Approved Sub-processors

The following Sub-processors have been authorised by Cazzaniga & Gaudenzi as of the effective date of this Agreement. The Processor shall notify Cazzaniga & Gaudenzi of any proposed changes to this list in accordance with Section 6.2 of this Agreement.

| Sub-processor Name | Registered Country | Processing Activity | Transfer Mechanism |
|---|---|---|---|
| Shopify International Limited | Ireland | E-commerce platform services for EEA/UK/Swiss merchant customer personal data, including store hosting, checkout, order management, customer account functionality, product catalogue, merchant services and related platform operations | EEA processing. Onward transfers handled under Shopify’s Data Processing Addendum, including adequacy decisions, Standard Contractual Clauses, Data Privacy Framework or other lawful safeguards where applicable. |
| [Sub-processor 2] | [Country] | [e.g., Cloud hosting / infrastructure] | |
| [Sub-processor 3] | [Country] | [e.g., Email and transactional messaging] | [e.g., SCCs (EU 2021/914)] |
| [Sub-processor 4] | [Country] | [e.g., Shipping and logistics] | [e.g., EEA — no transfer mechanism required] |
| [Sub-processor 5] | [Country] | [e.g., Analytics and website performance] | [e.g., SCCs (EU 2021/914)] |

The Processor shall ensure that valid data processing agreements or Standard Contractual Clauses are in place with each Sub-processor listed above prior to any processing of Personal Data.

Signatures

This Agreement is entered into by the duly authorised representatives of each Party as indicated below.

For and on behalf of the Controller: Cazzaniga & Gaudenzi

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________

For and on behalf of the Processor: [Processor Name]

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________