Data processing agreement
GDPR Article 28 agreement available to Italy customers who entrust us with processing personal data on their behalf.
When a DPA is needed
A DPA is required whenever you (controller) instruct us (processor) to process personal data — for example when you send us a list of recipient employees and home addresses for direct shipment of welcome kits, or when we operate a redemption portal under your brand where employees self-register. Standard B2B contact data of your procurement team does not normally require a DPA because we are a controller for that data.
What our DPA covers
Our template covers the mandatory clauses of Article 28: subject-matter and duration, nature and purpose, categories of data and data subjects, controller obligations, processor obligations, sub-processor list and change notification (30 days), confidentiality, technical and organisational measures (Annex II), assistance with rights requests and breach notification (72 hours), audit rights (one per year, 60-day notice, NDA-bound), and deletion or return of data on termination.
Sub-processors and international transfers
Our current sub-processors include EU print partners, EU and US cloud infrastructure (SCCs 2021/914 module 3 + supplementary measures), a transactional email provider and customer-support tooling. Updates are published on our trust page. For Italy the controller can object to a new sub-processor within 30 days; if the objection is not resolved, the controller may terminate without penalty. National specificities under Legislative Decree 196/2003, as amended by D.Lgs. 101/2018 to align with the GDPR, are reflected in the DPA where applicable.
FAQ
How do I sign the DPA?
Email [email protected] with your company details and we send a pre-filled PDF for digital signature. Turnaround: 2 business days.
Do you accept our customer DPA paper?
Yes, after legal review (usually 5 business days). For mid-size orders our template is recommended to save time.
Where are servers located?
Primary EU (Frankfurt/Amsterdam). Backup encrypted snapshots in the EU. No production data in non-EU regions.
Can I audit you on-site?
Yes, once per year with 60-day notice. We also share SOC 2 / ISO 27001 reports under NDA to satisfy most audit needs without on-site visits.
What is the breach-notification SLA?
We notify the controller without undue delay and in any case within 48 hours of becoming aware, well inside the 72-hour deadline to the supervisory authority.