Data processing agreement
CONTROLLER - PROCESSOR
PROCESSOR - SUB-PROCESSOR
This Data Processing Agreement (Data Protection Agreement or DPA) governs the processing of personal data carried out by Indigo.ai S.r.l., with registered office in Milan, Piazza Gae Aulenti 1 - Torre B, tax code and VAT number 04832520268, registered with the Companies’ Register at the Chamber of Commerce of Milan Monza Brianza Lodi under REA no. MI-20123, certified email (PEC) indigoai@legalmail.it, on behalf of the Client who makes use of the chatbot services offered by Indigo.ai, also pursuant to Article 28 of Regulation (EU) 2016/679 (also GDPR).
This agreement forms an integral part of the Agreement entered into between Indigo.ai and the Client concerning the service offered by Indigo.ai, and shall take effect from the date of execution of the Agreement.
It is specified that:
- where the commissioning Client qualifies, with regard to the personal data processed on its behalf by Indigo.ai, as Data Controller, Indigo.ai shall act as Data Processor pursuant to Article 28(1) GDPR;
- where, instead, the commissioning Client qualifies, with regard to such personal data, as Data Processor, Indigo.ai shall act as Sub-Processor pursuant to Article 28(2) GDPR.
The duties and responsibilities set out in this DPA are entrusted to Indigo.ai on the basis of the declarations made by the same to the Client regarding the experience, capacity and reliability required of a subject performing the function of Data Processor pursuant to Article 28 GDPR.
By signing this agreement, Indigo.ai declares itself available and competent for the full implementation of the provisions of the GDPR, confirms its direct and thorough knowledge of the obligations it assumes under the GDPR, accepts the appointment, and confirms that it has its own organization which it declares suitable to allow the processing of data in compliance with legislative provisions, including with regard to the security of personal data, and undertakes to process such data in accordance with the instructions given in full compliance with the requirements of Article 28(a) GDPR.
Within the limits of its competences and responsibilities, Indigo.ai shall ensure compliance with legal obligations, always in accordance with the directives and under the supervision of the Client.
In order to enable Indigo.ai to perform the tasks and responsibilities better specified below, the following specific instructions are provided for the performance of the assigned task.
1. Definitions
Where this DPA refers to notions, terms or provisions concerning the processing of personal data, the terms used shall have the same meaning as provided by the Applicable Law and, in particular, by Article 4 of the GDPR. Where a term does not appear among the definitions contained in the Applicable Law, its meaning shall be that indicated in the clarifications below.
In particular, the Client’s attention is drawn to the following definitions:
a. “Personal Data”: any information relating to an identified or identifiable natural person;
b. “Processing”: any operation carried out on personal data, whether in paper or electronic form;
c. “Client”: the entity that commissions Indigo.ai S.r.l. for the chatbot service referred to in the Agreement;
d. “Agreement”: the agreement between Indigo.ai S.r.l. and the Client relating to the service offered by Indigo.ai;
e. “Data Controller”: the entity that determines the purposes and means of the processing of data;
f. “Data Processor”: the entity that processes data on behalf of the Data Controller, in accordance with the rules set out in Article 28 GDPR;
g. “Sub-Processor” or “Further Processor”: an entity appointed as Data Processor by a subject that already qualifies as Data Processor or Sub-Processor;
h. “Data Breach”: a personal data breach pursuant to Article 33 GDPR;
i. “Supervisory Authority”: the competent authority in Italy for the protection of personal data;
j. “Technical and organizational security measures”: measures aimed at protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, as provided by the Applicable Law and in particular Article 32 GDPR, and all further technical and organizational measures necessary to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
k. “Applicable Law”: the set of relevant rules concerning the processing of personal data to which subjects processing personal data in Italy are subject, including: (i) Regulation (EU) 2016/679 (or GDPR); (ii) Legislative Decree 196/2003 or the Personal Data Protection Code (or Code); (iii) any guideline, law, code or provision issued by competent bodies or other supervisory authorities, including national legislation adapting to the GDPR and the provisions of the Supervisory Authority from time to time applicable; (iv) European legislation and the provisions and clarifications of the European Data Protection Board (EDPB).
2. General instructions pursuant to Article 28 GDPR
Indigo.ai shall comply with the provisions of Article 28 of Regulation (EU) 2016/679 and shall have the following tasks and responsibilities and therefore shall:
i. keep a record, as provided for by Article 30 GDPR, in electronic format, of the categories of processing activities carried out on behalf of the Client;
ii. organize the structures, offices and competences necessary and suitable to ensure the proper performance of the Activities, in relation to compliance with the Applicable Law on data protection;
iii. not disclose the data processed on behalf of the Client;
iv. ensure that persons authorized to process the data receive adequate instructions and training regarding the protection and management of personal data, and that they are bound by a duty of confidentiality in relation to the processed data, compatible with the performance of the Agreement, or are subject to a legal obligation of confidentiality;
v. adopt the Technical and organizational security measures required pursuant to Article 32 GDPR;
vi. assist the Client in ensuring compliance with Articles 32–36 GDPR, taking into account the nature of the processing and the information available to the Sub-Processor;
vii. taking into account the nature of the processing, assist the Client with appropriate technical and organizational measures, insofar as possible, in fulfilling the Client’s obligation to respond to requests for the exercise of data subject rights under Chapter III GDPR;
viii. notify the Client without undue delay and in any case within 72 hours from becoming aware thereof, pursuant to Article 33 GDPR, in the event of a Data Breach;
ix. process the data only on the basis of documented instructions from the Client or in accordance with operations strictly necessary for the performance of the Agreement with the Client and refrain from transferring such data outside the European Union or the European Economic Area without the prior written consent of the Client, unless required by Applicable Law;
x. upon written request of the Client, delete or return all personal data processed on its behalf once the Agreement is no longer in force and delete existing copies, unless Applicable Law requires storage of the data. The costs relating to the implementation of this obligation shall be borne by the Client. Indigo.ai reserves in any case the right to retain the data for 10 years following termination of the service Agreement in order to comply with legal obligations and to safeguard its right of defense, providing, where available, the information necessary pursuant to Article 33(3) GDPR, limited to data strictly necessary and proportionate to comply with legal obligations or for the establishment, exercise or defense of legal claims, in compliance with the principles of data minimization and storage limitation;
xi. inform the Client, within a reasonable time, of any requests from data subjects received by Indigo.ai, sending a copy of such requests to the email or PEC address indicated above and cooperating to ensure the possibility for data subjects to exercise their rights under the Applicable Law;
xii. inform the Client within a reasonable time of any request or communication from the Supervisory Authority or the Judicial Authority received by Indigo.ai in order to jointly agree on the response;
xiii. send the Client all communications provided for in this deed to the contact details indicated by the Client at the time of execution of the Agreement or to any other contact details subsequently communicated in writing by the Client;
xiv. refrain from processing the data processed on behalf of the Client for its own purposes;
xv. allow, within reasonable limits and upon prior notice, the performance of audit or verification activities by the Client or by subjects appointed by the latter, solely for the purpose of demonstrating compliance with the obligations set out in this Agreement and Article 28 GDPR.
3. Clarifications regarding the duration, nature and purpose of the processing, the type of personal data processed and the categories of data subjects
Pursuant to Article 28 GDPR, it is specified that:
i. the duration of the data processing by Indigo.ai on behalf of the Client coincides with the duration of this Data Processing Agreement, which in turn coincides with the duration of the Agreement; the data shall subsequently be retained for the period strictly necessary to comply with legal obligations and, in any case, no longer than 10 years from termination of the contractual relationship, and in any event limited to data strictly necessary and proportionate to comply with legal obligations or for the establishment, exercise or defense of legal claims, in compliance with the principles of data minimization and storage limitation;
ii. the processing of data, in relation to the performance of the Agreement, consists of the processing of personal data of subjects who use the chatbot service offered by the Client through the services of Indigo.ai;
iii. the purpose of the processing consists of the proper and timely performance of the Agreement;
iv. the personal data processed consist of personal data voluntarily entered by subjects who use the chatbot service offered by the Client through the services of Indigo.ai;
v. the categories of data subjects to whom the personal data relate are natural persons who are customers of the Client and, more generally, users of the chatbot.
4. Sub-Processors
The Client authorizes Indigo.ai to engage Further Processors capable of providing sufficient guarantees regarding the adoption of adequate technical and organizational measures for data processing pursuant to the GDPR. Indigo.ai shall inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to object to such changes. Where Indigo.ai engages a sub-processor to carry out specific processing activities on behalf of the Client, the same data protection obligations as set out in the contract or other legal act between Indigo.ai and the Sub-Processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of this Regulation. Where the sub-processor fails to fulfill its data protection obligations, Indigo.ai shall remain fully liable to the Client for the performance of the sub-processor’s obligations.
The list of sub-processors engaged by Indigo.ai is available upon request by the Client.
Indigo.ai has adopted a formal process for the periodic approval or updating of the list of sub-processors.
5. AI Processing
Processing of data through AI and chatbot systems
Indigo.ai guarantees that personal data processed through chatbot/voicebot systems are handled in compliance with the GDPR and the Applicable Law, including the interpretation provided by the EDPB in recent opinions (for example, Opinion 28/2024).
Indigo.ai documents and regularly assesses any processing of personal data within AI models, clearly distinguishing between anonymized data and personal data, and adopts technical and organizational measures to ensure data protection.
Data subjects may exercise their rights (access, rectification, erasure, objection, restriction) also in relation to data processed through AI. Indigo.ai assists the Client in responding to such requests within the time limits provided by law.
Where AI models generate data that may indirectly identify an individual, such data shall be treated as personal data under the GDPR, with all applicable security, retention and documentation measures.
6. Client information and instructions in violation of Applicable Law
Indigo.ai undertakes to make available to the Client the information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR. Indigo.ai further undertakes to inform the Client where it considers that an instruction provided by the latter violates the provisions of the Applicable Law. Following such communication, Indigo.ai shall not be required to comply with the contested instruction.
7. Duration – Applicable law and competent court
This Data Processing Agreement shall take effect from the date of execution of the Agreement and shall remain in force for the duration of the Agreement. This Data Processing Agreement, as well as any claim, demand or dispute relating thereto, shall be governed by the Applicable Law. The Court of Milan shall have exclusive jurisdiction for any dispute relating to this agreement, to the exclusion of any other court.
8. Liability
Indigo.ai’s liability, with regard to the breach of obligations arising from this Data Processing Agreement and from the Applicable Law on data protection, including with regard to the activity of any Sub-Processors, shall be limited to the actual damage effectively suffered by the Client as an immediate and direct consequence of gross negligence or willful misconduct of Indigo.ai or of one of its Sub-Processors.
9. Final clause
Indigo.ai is bound by the obligations set out in the Applicable Law, as well as those set out in the Agreement and in this Data Processing Agreement, and enjoys the rights established by the same legal and contractual sources.
10. Transfer of Data outside the European Union
In the event of a written request from the Client to transfer personal data outside the European Economic Area, the Client – assuming full responsibility – guarantees that it has implemented the appropriate measures required under Chapter V of the GDPR in order to allow Indigo.ai to transfer such Data.
Where personal data must be transferred outside the European Economic Area, Indigo.ai may proceed only upon written instruction from the Client.
The Client guarantees that appropriate measures pursuant to Chapter V GDPR have been implemented to allow the transfer of data (e.g., Standard Contractual Clauses approved by the European Commission, Binding Corporate Rules, specific derogations).
Indigo.ai verifies that such transfers comply with EDPB Guidelines 02/2024, in particular with regard to requests from non-EU authorities, and documents the protective measures applied.
Where a non-EU authority requests personal data, Indigo.ai shall promptly inform the Client and cooperate with it to assess the compatibility of the transfer with the GDPR and the safeguards adopted.
All transfers outside the EU must be tracked and documented, with evidence of the legal bases used and of the supplementary measures applied to ensure protection equivalent to that in the EU. Without prejudice to the provisions of this clause, Indigo.ai, as Data Processor within the scope of the Services, verifies, to the extent of its competence and as applicable, that any transfers of personal data to third countries or international organizations carried out in the context of the provision of the Services are based on valid transfer tools pursuant to the GDPR, such as, by way of example, Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR) or other mechanisms recognized pursuant to Articles 44 et seq. GDPR. Indigo.ai documents such verifications and makes the relevant documentation available to the Client upon request, reasonably cooperating with the Client for the purpose of demonstrating compliance with the applicable requirements, it being understood that the Client remains responsible, as Data Controller, for assessing the legal framework applicable to its specific processing and related use cases.
Last amendment: 12/01/2026.