DATA PROCESSING AGREEMENT

Effective Date: August 25, 2025

This Data Processing Agreement ("DPA") forms part of the Customer Terms of Service ("Agreement") between Sagewill SRL, located at Via Panciatichi 16, 50141, Firenze (FI), Italy, VAT number IT07481150485 ("Processor" or "Sagewill SRL") and the Customer ("Controller" or "Customer") using the Palpaca service.

1. DEFINITIONS

1.1 "Personal Data" means any information relating to an identified or identifiable natural person.

1.2 "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

1.3 "Data Subject" means the individual to whom Personal Data relates.

1.4 "Applicable Law" means GDPR (Regulation (EU) 2016/679) and any other applicable data protection laws.

1.5 "Sub-processor" means any third party engaged by Processor to process Personal Data.

2. SCOPE AND ROLES

2.1 Relationship of the Parties

The parties acknowledge that:

Customer is the Controller of Personal Data
Sagewill SRL is the Processor acting on behalf of the Controller
This DPA applies to all Processing activities performed by Sagewill SRL for the Customer

2.2 Nature of Processing

Sagewill SRL processes data solely to provide the Palpaca service, which involves:

Facilitating data display within HubSpot interfaces
Routing data between HubSpot and external sources
Collecting anonymized usage metrics

3. DATA PROCESSING DETAILS

3.1 Categories of Data Subjects

Customer's employees and users
Customer's data within their HubSpot CRM
End users interacting with Customer's HubSpot portal

3.2 Types of Personal Data Processed

Application Usage Data (Anonymized):

UI creation metrics
Component usage statistics
Feature adoption rates
Performance metrics

Note: No Customer CRM data is stored on Sagewill SRL's infrastructure. All CRM data remains within Customer's HubSpot environment and connected systems.

3.3 Purpose of Processing

Providing the Palpaca service
Service improvement and optimization
Technical support
Compliance with legal obligations

3.4 Duration of Processing

Processing occurs during the term of the Agreement and for up to 30 days following termination for data export purposes.

4. DATA PROCESSING PRINCIPLES

4.1 Processor Obligations

Sagewill SRL shall:

Process Personal Data only on documented instructions from the Customer
Ensure confidentiality of personnel processing Personal Data
Implement appropriate technical and organizational measures
Not transfer Personal Data outside the EEA without appropriate safeguards
Assist Customer in responding to Data Subject requests
Delete or return all Personal Data upon termination

4.2 Data Minimization

Sagewill SRL practices data minimization by:

Not storing Customer CRM data
Collecting only essential anonymized usage metrics

5. TECHNICAL AND ORGANIZATIONAL MEASURES

5.1 Security Measures

Technical Measures:

Secure API authentication (OAuth 2.0)
Regular security updates and patches
Access logging and monitoring
Web application firewall

Organizational Measures:

Access control on need-to-know basis
Confidentiality agreements with personnel
Regular security training
Incident response procedures
Business continuity planning

5.2 Data Isolation

Customer data streams are isolated from other customers
Logical separation of customer environments
No cross-tenant data access

6. SUB-PROCESSORS

6.1 Authorized Sub-processors

Current authorized sub-processors:

Sub-processor	Purpose	Location
HubSpot	Marketing data storage	EU
Cloudflare	Infrastructure, CDN and security	Global

6.2 Sub-processor Changes

Sagewill SRL will notify Customer of sub-processor changes with 30 days' notice
Customer may object to new sub-processors within 14 days
If objection cannot be resolved, Customer may terminate the Agreement

6.3 Sub-processor Requirements

All sub-processors must:

Provide sufficient guarantees of compliance
Be bound by data protection obligations no less protective than this DPA
Process data only as instructed

7. DATA SUBJECT RIGHTS

7.1 Assistance with Requests

Sagewill SRL will:

Promptly notify Customer of any Data Subject request
Assist Customer in fulfilling Data Subject rights
Not respond directly to Data Subjects unless authorized

7.2 Data Subject Rights Include:

Access to Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Data portability
Restriction of processing
Objection to processing

8. DATA BREACH NOTIFICATION

8.1 Breach Response

Upon becoming aware of a Personal Data breach, Sagewill SRL will:

Notify Customer without undue delay and within 48 hours
Provide details of the breach including:

Nature of the breach
Categories and number of Data Subjects affected
Likely consequences
Measures taken or proposed

8.2 Breach Assistance

Sagewill SRL will:

Cooperate in investigation and remediation
Implement measures to prevent recurrence
Document all breaches and responses

9. AUDIT AND COMPLIANCE

Customer has the right to:

Request information about Sagewill SRL's compliance
Review security certifications and reports

10. DATA LOCATION AND TRANSFERS

10.1 Data Location

Anonymized usage data: EU data centers
Marketing data: EU HubSpot instance

10.2 International Transfers

Any transfers outside the EEA will be subject to:

Standard Contractual Clauses
Adequacy decisions
Other appropriate safeguards under GDPR

11. DATA RETENTION

The following data retention periods are observed:

Anonymized usage data: 48 months
Temporary cache data: Deleted immediately after processing
Application Logs: 90 days

12. LIABILITY AND INDEMNIFICATION

12.1 Liability

Each party's liability is governed by the limitation of liability provisions in the Agreement, subject to mandatory provisions of Applicable Law.

12.2 Indemnification

Each party shall indemnify the other against damages resulting from its breach of this DPA or Applicable Law.

13. CONFIDENTIALITY

13.1 Confidential Information

All Personal Data is considered Confidential Information and subject to confidentiality obligations in the Agreement.

13.2 Disclosure

Confidential Information may only be disclosed:

To comply with legal obligations
With prior written consent
To personnel on a need-to-know basis

14. GDPR SPECIFIC PROVISIONS

14.1 Data Protection Officer

Contact: arrigo@palpaca.app

14.2 Records of Processing

Sagewill maintains records of all processing activities as required by Article 30 GDPR.

14.3 Privacy by Design

Sagewill implements privacy by design principles including:

Data minimization
Purpose limitation
Default privacy settings

15. GOVERNING LAW AND JURISDICTION

This DPA is governed by Italian law. Disputes shall be resolved in the courts of Florence, Italy.

16. AMENDMENTS

This DPA may only be amended in writing signed by both parties.

17. SEVERABILITY

If any provision is invalid or unenforceable, the remainder of this DPA remains in effect.

18. ORDER OF PRECEDENCE

In case of conflict:

Mandatory provisions of Applicable Law
This DPA
The Agreement

ANNEX 1: DESCRIPTION OF PROCESSING

Purpose: Provision of Palpaca no-code card builder service for HubSpot

Nature of Processing:

Display of CRM data within custom UI components
Routing data between systems
Collection of anonymized usage metrics

Categories of Personal Data:

User account information (email, name)
CRM data (processed but not stored)
Usage patterns (anonymized)

Categories of Data Subjects:

Customer employees
CRM records
End users

Duration: During term of Agreement plus 30-day wind-down period

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

Access Control:

Multi-factor authentication
Role-based access control
Regular access reviews

Data Security:

Regular vulnerability scanning

Business Continuity:

Regular backups
Service redundancy

By executing the Agreement, the parties agree to be bound by the terms of this Data Processing Agreement.