How SINAURA processes personal data on your behalf.
This Data Processing Agreement (the "DPA") is entered into by and between the Customer, acting as Controller pursuant to Art. 4(7) GDPR, and SINAURA S.R.L. ("SINAURA"), acting as Processor pursuant to Art. 4(8) GDPR, in connection with the provision of the AriaPLT™ industrial AgenticAI platform.
Version 1.3 · Last updated: 16 May 2026 · Reference: GDPR · Italian D.Lgs. 196/2003 · EU AI Act (Reg. 2024/1689) · EU Data Act (Reg. 2023/2854) · NIS2 (Dir. 2022/2555)
Changelog v1.2 → v1.3 (16 May 2026) — Strengthening amendments aligned with EDPB Guidelines 9/2022 (breach), 07/2020 (controller/processor), 04/2024 (anonymisation), Opinion 28/2024 (AI training), CJEU C-203/22, and EU AI Act provider/deployer allocation. Material changes to: §3.4, §3.5 (breach window 48h → 24h), §3.7 (audit articulation), §4 (fallback SCC + government access), §5 (critical sub-processors), §6 (opt-out → opt-in; AI Act roles), §7 (Art. 82 GDPR safeguard, insurance). Annex 1.D and Annex 4 aligned. No NIS2-specific clause added in this revision.
ACCEPTANCE AND INCORPORATION BY REFERENCE
This DPA does not require a separate signature. It is an integral part of the contractual document set governing the use of the AriaPLT™ platform and is incorporated by reference into the Terms of Service (the "ToS") of AriaPLT™, available at sinauragroup.com/en/legal/terms-of-service, and into the Master Services Agreement (the "MSA"), available at sinauragroup.com/en/legal/msa.
By accepting the ToS — in any of the modalities set out under "Acceptance of these Terms" of the ToS (clicking "I agree" at registration, executing an Order Form referencing the ToS, accessing the Platform via an Evaluation Account or Authorised User credentials, or otherwise interacting with the Platform on behalf of the Customer) — the Customer simultaneously and bindingly accepts this DPA, including all its Annexes, with full effect under Art. 28 GDPR. The "Effective Date" of this DPA coincides with the Effective Date of the ToS as defined therein.
Acceptance is recorded by SINAURA in an immutable log including the timestamp, the version of the DPA accepted, the IP address and user-agent of the accepting person, and the cryptographic hash of the accepted text, in accordance with Reg. (EU) 910/2014 (eIDAS) and Italian D.Lgs. 82/2005 (Digital Administration Code). Such record constitutes admissible evidence of acceptance equivalent to a written signature for the purposes of Art. 28(9) GDPR ("in writing, including in electronic form").
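The following added example, which is not part of this DPA and not SINAURA's implementation, illustrates how an acceptance record of the kind described above can be made tamper-evident: each record carries a SHA-256 digest of the canonicalised accepted text (so it is bound to one exact version) and a back-link to the previous record's digest. The field names, the canonicalisation rule, the hash-chaining and the sample texts are assumptions of this example.

```python
"""Tamper-evident acceptance log for a click-through DPA.

Illustrative only: the record fields follow the DPA text (timestamp, DPA
version, IP address, user-agent, hash of the accepted text); the chaining,
canonicalisation and SHA-256 choice are assumptions of this example.
"""
import hashlib
import json
import unicodedata
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain


def text_hash(accepted_text: str) -> str:
    """Hash of the accepted DPA text, canonicalised so that the same wording
    served with CRLF line endings or a different Unicode normal form yields
    the same digest. This is what binds a record to one exact version."""
    canonical = unicodedata.normalize("NFC", accepted_text)
    canonical = canonical.replace("\r\n", "\n").strip()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class AcceptanceRecord:
    timestamp: str      # ISO-8601, UTC
    dpa_version: str
    ip_address: str
    user_agent: str
    text_sha256: str    # text_hash() of the DPA version shown to the user
    prev_hash: str      # record_hash of the previous entry (GENESIS_HASH for the first)
    record_hash: str    # SHA-256 over all fields above; makes the chain tamper-evident


def _record_digest(fields: dict) -> str:
    """Deterministic digest: sorted keys and compact separators so the same
    fields always serialise identically."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_acceptance(log: List[AcceptanceRecord], timestamp: str, dpa_version: str,
                      ip_address: str, user_agent: str, accepted_text: str) -> AcceptanceRecord:
    """Append a new acceptance record chained to the last one in the log."""
    fields = {
        "timestamp": timestamp,
        "dpa_version": dpa_version,
        "ip_address": ip_address,
        "user_agent": user_agent,
        "text_sha256": text_hash(accepted_text),
        "prev_hash": log[-1].record_hash if log else GENESIS_HASH,
    }
    record = AcceptanceRecord(**fields, record_hash=_record_digest(fields))
    log.append(record)
    return record


def verify_log(log: List[AcceptanceRecord]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first record
    whose digest or back-link does not match (an edit, deletion or reorder)."""
    expected_prev = GENESIS_HASH
    for index, record in enumerate(log):
        fields = asdict(record)
        fields.pop("record_hash")
        if record.prev_hash != expected_prev or _record_digest(fields) != record.record_hash:
            return index
        expected_prev = record.record_hash
    return None


def proves_acceptance_of(record: AcceptanceRecord, candidate_text: str) -> bool:
    """Check whether a record evidences acceptance of exactly this text."""
    return record.text_sha256 == text_hash(candidate_text)


# Constructed sample texts standing in for two DPA versions (not the real DPA wording).
DPA_V12_TEXT = "Data Processing Agreement v1.2\nBreach notification: 48 hours.\n"
DPA_V13_TEXT = "Data Processing Agreement v1.3\nBreach notification: 24 hours.\n"


def demo() -> dict:
    """Build a two-entry log, then show that (a) the chain verifies, (b) the
    v1.3 record proves acceptance of the v1.3 wording regardless of line
    endings but not of v1.2, and (c) silently editing a stored field is detected."""
    log: List[AcceptanceRecord] = []
    append_acceptance(log, "2026-05-16T09:00:00Z", "1.2", "203.0.113.10",
                      "Mozilla/5.0 (constructed)", DPA_V12_TEXT)  # 203.0.113.0/24 is a documentation range
    append_acceptance(log, "2026-05-17T10:30:00Z", "1.3", "203.0.113.11",
                      "Mozilla/5.0 (constructed)", DPA_V13_TEXT)
    intact = verify_log(log)

    # An operator later edits the first record's version field in place.
    tampered = list(log)
    tampered[0] = replace(tampered[0], dpa_version="1.3")
    return {
        "intact": intact,                                  # None: chain verifies
        "tampered_at": verify_log(tampered),               # 0: first record no longer matches its digest
        "v13_crlf_ok": proves_acceptance_of(log[1], DPA_V13_TEXT.replace("\n", "\r\n")),  # True
        "v13_vs_v12": proves_acceptance_of(log[1], DPA_V12_TEXT),  # False
    }
```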
Where the Customer has executed an MSA or Order Form referencing this DPA, the signature applied by the Customer to such MSA or Order Form is deemed to extend to this DPA. Where the Customer requires a counter-signed copy of this DPA for its internal records, SINAURA shall provide one upon written request sent to info@sinauragroup.com or, for formal communications, via certified email at sinaurasrl@legalmail.it.
Cross-reference: see ToS — "The Agreement" preamble and Art. 23 (Applicable Addendums and Exhibits); MSA §11.10 (Order of precedence); MSA §11.15 (Counterparts and electronic signature).
Art. 28(9) GDPR provides that the Controller/Processor contract "shall be in writing, including in electronic form". Click-through acceptance with eIDAS-compliant logging therefore meets the statutory form requirement.
THE PARTIES
Controller (Customer)
CONTROLLER — The legal entity identified as the Customer in the Order Form, acting as Controller pursuant to Art. 4(7) GDPR. Customer details (legal name, registered office, VAT no., legal representative, certified email or other electronic contact) are recorded in the Account profile and in the Order Form.
Processor (SINAURA)
PROCESSOR — SINAURA S.R.L. — Viale Luigi Majno n. 7, 20122 Milan, Italy. VAT no. [to be added]. Certified email: sinaurasrl@legalmail.it. Legal representative: Valerio di Vico. Data Protection Contact: info@sinauragroup.com (SINAURA Legal Department — internal contact for data protection matters; no Data Protection Officer has been formally designated under Art. 37 GDPR as SINAURA does not, at the date of this version, meet the mandatory designation criteria of Art. 37(1) GDPR).
Jointly referred to as the "Parties" and individually as a "Party". Whereas the Parties have entered into the ToS and, where applicable, an MSA / Order Form for the use of the AriaPLT™ platform accessible at ariaplt.com, and whereas SINAURA processes personal data on behalf of the Customer in that context, the Parties agree as follows.
§1 · SUBJECT MATTER OF THE AGREEMENT
(1) The subject matter of this DPA is the processing of personal data by SINAURA in connection with the provision of the AriaPLT™ platform and related services, as described in the ToS and in the Order Form. AriaPLT™ is an industrial AgenticAI platform for the automation of technical processes (work orders, P&IDs, SCADA/PLC telemetry, ERP/CMMS integrations, vertical RAG).
This DPA is supplementary to the ToS and to the MSA (where executed). In the event of conflict, this DPA prevails to the extent the conflict concerns the processing of personal data, in accordance with the order of precedence set out in Art. 19 of the ToS and §11.10 of the MSA.
(2) Categories of personal data processed (detailed in Annex 2):
- Account and identity data (name, business email, role, hashed credentials, MFA factors)
- Usage and telemetry data (application logs, IP, product events, audit trail)
- Industrial content data (technical documents, work orders, SCADA/PLC telemetry, AgenticAI outputs, agent conversations)
- Billing and administrative data
(3) Categories of data subjects: employees, contractors, suppliers, customers and business contacts of the Customer, and any other natural person whose data is uploaded or connected to the platform by the Customer.
The Customer undertakes not to enter special categories of data pursuant to Art. 9 GDPR (health, biometric, ethnic, religious, trade-union) onto the platform without specific prior written agreement, a DPIA pursuant to Art. 35 GDPR, and corresponding adjustment of the TOMs.
§2 · DURATION OF THE AGREEMENT
This DPA has the same duration as the ToS and, where executed, the MSA. It terminates automatically upon termination of the ToS / MSA for any reason. Each Party retains the right to terminate it for cause pursuant to Art. 1456 of the Italian Civil Code, with 30 days' notice, in the event of a material breach of personal data protection obligations by the other Party.
The obligations of return / deletion of data (§3.8) and of confidentiality (§3.2) survive termination.
§3 · OBLIGATIONS OF THE PROCESSOR (SINAURA)
3.1 — Processing on documented instructions
(1) SINAURA shall process personal data only on documented instructions of the Customer, including transfers to third countries, unless required by Union or Member State law. In such case, SINAURA shall inform the Customer prior to processing, unless prohibited on important grounds of public interest. Where authorities require access to data, SINAURA shall inform the Customer without undue delay — where legally permitted — and shall refer the authority to the Customer. Processing for SINAURA's own purposes requires the Customer's prior written approval.
3.2 — Confidentiality of personnel
(2) SINAURA undertakes to ensure that all personnel authorised to process the data — employees, contractors, consultants, system administrators — have committed themselves to confidentiality in writing prior to commencement of the activity, or are under an appropriate statutory obligation of professional secrecy. The confidentiality obligations remain in force after termination of the assignment and after termination of the employment or collaboration relationship.
(2-bis) SINAURA further undertakes not to use the Customer's personal data for its own purposes unrelated to the provision of the platform, not to sell, transfer or make them accessible to unauthorised third parties, and to ensure logical segregation of each tenant's data.
3.3 — Security of processing (Art. 32 GDPR)
(3) SINAURA has adopted and maintains technical and organisational measures appropriate to ensure a level of security commensurate with the risks of processing, as specified in Annex 1 (TOMs) and aligned with Directive (EU) 2022/2555 (NIS2) in SINAURA's role as ICT service provider.
3.4 — Assistance with data-subject rights
(4)
(a) Taking into account the nature of the processing, SINAURA shall implement appropriate technical and organisational measures to enable the Customer to respond to requests by data subjects under Chapter III GDPR (Arts. 15–22) within the statutory deadlines, including: (i) administration console functionalities for export, rectification, restriction and deletion of Customer Data; (ii) APIs for bulk operations; (iii) documented procedures for handling requests that cannot be fulfilled by the Customer via self-service.
(b) Where a data subject submits a request directly to SINAURA, SINAURA shall: (i) forward the request to the Customer within seventy-two (72) hours; (ii) acknowledge receipt to the data subject and direct them to the Customer as Controller; (iii) not respond to the substance of the request unless instructed by the Customer.
(c) Assistance under this clause is provided at no additional cost for ordinary volumes (up to 10 requests per quarter requiring SINAURA's manual intervention). Beyond such threshold, the Parties shall agree reasonable cost-sharing.
3.5 — Assistance with Controller obligations and Personal Data Breach Notification
(5)
(a) SINAURA shall assist the Customer in complying with its obligations under Arts. 32–36 GDPR, taking into account the nature of processing and the information reasonably available to SINAURA. Ordinary assistance shall be provided at no additional cost to the Customer as part of the subscription fee. Costs of extraordinary assistance (e.g., on-site forensic support, expert reports beyond SINAURA's standard incident response) shall be agreed in writing in advance.
(b) Upon becoming aware of a Personal Data Breach affecting Customer Data (Art. 4(12) GDPR), SINAURA shall notify the Customer without undue delay and in any event within twenty-four (24) hours of becoming aware. Where the information required by Art. 33(3) GDPR is not fully available at the time of initial notification, SINAURA shall provide an initial notification within 24 hours with the information then available, followed by supplementary notifications on a rolling basis as additional information becomes known, in accordance with EDPB Guidelines 9/2022 on personal data breach notification.
(c) The initial notification shall include, to the extent then known: (i) the nature of the breach, including where possible categories and approximate number of data subjects and records concerned; (ii) the contact point of SINAURA's Data Protection Contact (info@sinauragroup.com); (iii) likely consequences; (iv) measures taken or proposed to address the breach and mitigate adverse effects.
(d) SINAURA shall preserve all forensic evidence of the breach in a manner enabling subsequent investigation by the Customer or competent authorities, and shall cooperate in good faith with the Customer's notifications to the Garante per la protezione dei dati personali and communications to data subjects (Arts. 33–34 GDPR).
(e) SINAURA shall not disclose the breach publicly or to third parties (other than its sub-processors, regulators or law-enforcement bodies where legally required) without the Customer's prior written consent, except where SINAURA is legally compelled to do so.
3.6 — Records of processing activities
(6) SINAURA maintains a record of categories of processing activities carried out on behalf of the Customer, pursuant to Art. 30(2) GDPR, and makes it available to the supervisory authority upon request.
3.7 — Audit Rights
(7)
(a) Ordinary audits. Once per calendar year, the Customer may verify compliance with this DPA by submitting SINAURA's standard audit questionnaire and reviewing the most recent third-party attestations (SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and equivalent), penetration test executive summaries, and the public TOMs (Annex 1). Such ordinary audits are included in the subscription fee.
(b) On-site or extraordinary audits. The Customer may conduct on-site audits, in person or through an independent third-party auditor (not a competitor of SINAURA) bound by a confidentiality undertaking in a form reasonably acceptable to both Parties, subject to: (i) at least thirty (30) days' prior written notice, reduced to five (5) business days in case of (1) a confirmed Personal Data Breach affecting the Customer, (2) a documented request from a competent supervisory authority, or (3) a substantiated suspicion of material non-compliance; (ii) reasonable scope tailored to the Customer's processing; (iii) execution during business hours and in a manner not unduly disrupting SINAURA's operations.
(c) Costs. Each Party shall bear its own costs of ordinary audits. Costs of on-site audits shall be borne by the Customer, except where the audit reveals material non-compliance by SINAURA, in which case SINAURA shall reimburse the Customer's reasonable audit costs and remediate the findings within a mutually agreed remediation plan.
(d) Sub-processor audits. Where verification of a sub-processor is reasonably necessary, SINAURA shall: (i) provide the sub-processor's most recent attestations and audit reports; (ii) use commercially reasonable efforts to procure audit cooperation from the sub-processor under the terms of its sub-processing agreement; (iii) for Customers subject to Regulation (EU) 2022/2554 (DORA) or to other regulatory regimes mandating direct audit rights on critical providers, negotiate in good faith the inclusion of pass-through audit rights with critical sub-processors.
(e) Regulatory audits. Audits or inspections by competent supervisory authorities (Garante, ACN, ENISA, ESAs under DORA, Commission AI Office) shall not be subject to the notice and cost provisions of this clause; SINAURA shall cooperate without restriction subject only to its legal obligations.
3.8 — Return or deletion upon termination
(8) Upon termination of this DPA, at the Customer's choice, SINAURA shall return or destroy all personal data of the Customer and any existing copies, according to the T0–T15–T30 procedure documented in Annex 4:
- T0 — workspace closure and immediate suspension of access
- T1–T15 — final export window (CSV / JSON / PDF / API export)
- T16–T30 — complete deletion of accounts, embeddings, RAG vault and crypto-shredding of encrypted backups
Upon Customer request, SINAURA issues a certificate of deletion. Statutory retention obligations under Italian or EU law remain unaffected; data subject to such obligations (e.g., tax records, security logs) is stored exclusively in encrypted read-only archives for the time strictly required. If SINAURA processes the data in a proprietary technical format, upon Customer request it shall provide the data in the original format of receipt or in another common format.
3.9 — Notification of unlawful instructions
(9) SINAURA shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
3.10 — Switching support (EU Data Act, Reg. 2023/2854)
(10) In accordance with the EU Data Act, SINAURA shall provide the Customer with the technical means and reasonable cooperation necessary to switch to another provider of equivalent services or to an on-premise solution. Export tools shall return Customer Data in structured, commonly used and machine-readable formats; switching charges shall be progressively withdrawn pursuant to the timetable set by the EU Data Act, with full removal by 12 January 2027.
§4 · PLACE OF PERFORMANCE OF DATA PROCESSING AND INTERNATIONAL TRANSFERS
All production processing of Customer data takes place exclusively within the European Union, on AWS infrastructure in the Frankfurt region (eu-central-1) distributed across three Availability Zones (eu-central-1a / 1b / 1c).
- Storage, computing and backup never outside the European Union
- AES-256 at-rest encryption on all volumes and buckets
- TLS 1.3 in-transit encryption on all communications
- Daily redundant backups across 3 AZ — RPO < 24h, RTO < 4h
Any extra-EU transfers — limited to specific cases (e.g., extra-EU LLM providers activated upon Customer opt-in, sub-processors of the cloud provider for global support) — shall take place only under the conditions set out below.
(a) Hierarchy of transfer mechanisms. Any transfer of Customer Data outside the European Economic Area shall take place only under one of the following mechanisms, in the following order of preference: (i) an adequacy decision under Art. 45 GDPR, including the EU-US Data Privacy Framework (Decision (EU) 2023/1795) where the recipient is DPF-certified; (ii) Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 or 3 as applicable, accompanied by a documented Transfer Impact Assessment ("TIA") and, where necessary, supplementary technical and organisational measures in accordance with EDPB Recommendations 01/2020 and 02/2020; (iii) other safeguards under Art. 46 GDPR; (iv) only in exceptional and documented cases, derogations under Art. 49 GDPR.
(b) Automatic fallback. Where an adequacy decision relied upon by SINAURA (including the EU-US Data Privacy Framework, Decision (EU) 2023/1795) is invalidated, suspended or substantially restricted, SINAURA shall, within thirty (30) days, automatically transition the affected transfers to Standard Contractual Clauses with a documented TIA, without need for further instruction from the Customer.
(c) Government access requests. SINAURA shall not disclose Customer Data to any non-EU/EEA public authority (including under the U.S. CLOUD Act, FISA Section 702, or equivalent foreign legislation) except where: (i) compelled by binding legal process; and (ii) SINAURA has, to the extent legally permitted, (1) notified the Customer prior to disclosure, (2) challenged the request through available legal remedies, and (3) limited disclosure to the minimum data strictly required. SINAURA shall publish an annual transparency report on government access requests received.
(d) TIA disclosure. SINAURA shall make available to the Customer, upon written request, the TIA conducted for each non-EEA transfer involving Customer Data, subject to confidentiality.
§5 · SUB-PROCESSORS (ART. 28(2) AND (4) GDPR)
The Customer generally authorises SINAURA to engage the sub-processors listed in Annex 3, which operate under sub-processing contracts with clauses equivalent to those of this DPA.
(1) Changes to the list — SINAURA shall notify the Customer of any addition or replacement of sub-processors at least 30 days in advance, via email to the administrative address and via update of sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors. The Customer may object on reasoned grounds within 30 days from receipt. Where the Parties cannot agree, the Customer is entitled to terminate the MSA / Subscription limited to the affected services.
(1-bis) Critical sub-processors. Where the Customer terminates the Subscription pursuant to paragraph (1) because of an unresolved objection to a new or replacement sub-processor that is critical to the provision of the Platform (and no equivalent alternative is offered), termination shall extend to the entire MSA without early-termination penalty, and SINAURA shall refund any prepaid fees pro rata. This applies in particular to changes in the LLM provider chain affecting Customer Data.
(2) Liability — SINAURA remains fully liable to the Customer for the performance of sub-processors' obligations under this DPA.
(2-bis) Flow-down evidence. Upon Customer written request, SINAURA shall make available, subject to confidentiality and redaction of commercial terms, the relevant portions of its sub-processing agreements demonstrating equivalent data protection obligations under Art. 28(4) GDPR, or a written certification by SINAURA's Data Protection Contact to that effect.
(3) Certifications — SINAURA periodically verifies and documents the GDPR compliance of sub-processors, including through their respective public certifications and sub-processing agreements.
(3-bis) Monitoring of AWS sub-sub-processors. SINAURA shall actively monitor AWS's sub-processor notices and shall notify the Customer of additions or replacements that materially affect the location or nature of processing of Customer Data, with at least 30 days' prior notice where feasible.
§6 · AI PROCESSING RESTRICTIONS AND EU AI ACT ALLOCATION
Given the AgenticAI nature of the platform and the evolving EU regulatory framework (EU AI Act, Reg. 2024/1689), SINAURA undertakes the following binding commitments.
(1) No training of generalist models — Customer personal data and content shall never be used to train, validate or fine-tune generalist AI models, pre-trained foundation models, or models intended for customers other than the Customer.
(2) Zero data retention with external LLM providers — Calls to LLM providers (Anthropic, OpenAI, Mistral and similar, where used) take place via endpoints configured with "no training" and "zero retention" flags active, in accordance with dedicated DPAs signed with each provider.
(3) RAG and embeddings — Embeddings derived from Customer documents are stored within the Customer's tenant workspace, segregated from other tenants, encrypted at-rest, and deleted under the T0–T15–T30 procedure upon termination.
(4) Automated decision-making. AriaPLT™ is designed to operate with human-in-the-loop oversight and to function as a decision-support tool. Whether any specific use case integrating AriaPLT™ outputs qualifies as a "decision based solely on automated processing, including profiling, which produces legal effects [...] or similarly significantly affects" a data subject under Art. 22(1) GDPR depends on the configuration and deployment by the Customer. The Customer is responsible for assessing applicability of Art. 22 GDPR to its own workflows and for implementing the safeguards required by Art. 22(3) GDPR (right to obtain human intervention, to express one's point of view, and to contest the decision), with reference also to CJEU Case C-203/22 Dun & Bradstreet (7 December 2023).
(5) Per-Customer agent specialization — opt-in. SINAURA shall train and specialize the Customer's own Agents on the Customer's own Inputs, Outputs, Customer Data and feedback only where the Customer has expressly opted in through the administration console or through the Order Form. Such training shall in any case: (i) take place exclusively within the Customer's isolated tenant workspace; (ii) produce no carry-over to Agents serving any other customer; (iii) be documented in the Customer's records of processing activities; (iv) be subject to a DPIA where Art. 35 GDPR is triggered. Per-Customer specialization is the only form of training performed on Customer Data and is further detailed in the Privacy Policy and in §4.5 of the MSA.
(6) Anonymisation for service improvement — For service improvement purposes, SINAURA may process aggregated statistics and irreversibly anonymised data, in compliance with EDPB Guidelines 04/2024.
(7) Customer transparency duties under Art. 50 AI Act — Where the Customer integrates Outputs into systems, products or services made available to natural persons, the Customer is responsible for the transparency and labelling duties imposed by Art. 50 of the EU AI Act. SINAURA provides technical means (digital signatures and metadata on outputs) to support such labelling.
(8) AI Act allocation of roles. With respect to Regulation (EU) 2024/1689 (the "AI Act"):
(a) SINAURA acts as provider of the AriaPLT™ general-purpose AI orchestration layer to the extent it places that layer on the market under its own name, and assumes the corresponding obligations under Arts. 9–17 AI Act applicable to its risk classification.
(b) The Customer acts as deployer of AriaPLT™ in its own operational environment and assumes the corresponding obligations under Art. 26 AI Act, including, where applicable, the Fundamental Rights Impact Assessment under Art. 27 AI Act.
(c) DPIA / FRIA cooperation. SINAURA shall provide the Customer, in accordance with Art. 26(9) AI Act, the information necessary for the Customer to carry out a DPIA under Art. 35 GDPR and, where applicable, a FRIA under Art. 27 AI Act. SINAURA shall, where requested, adopt the EDPB DPIA Template (in the version applicable from time to time) for joint DPIA exercises.
(d) High-risk classification. Should AriaPLT™ be classified, in whole or in part, as a high-risk AI system under Annex III AI Act based on the Customer's deployment, the Parties shall in good faith negotiate an AI Act Addendum reflecting the additional obligations of provider and deployer, no later than ninety (90) days before the applicable compliance date.
§7 · LIABILITY AND FINAL PROVISIONS
(1) Liability for breach of this DPA. Subject to the mandatory provisions of the GDPR and other applicable EU and Italian law, the financial liability of the Parties for breach of this DPA is governed by the limitation-of-liability provisions of the MSA / ToS, save that:
(a) No limitation of liability shall apply to: (i) rights of data subjects under Art. 82 GDPR; (ii) administrative fines imposed by supervisory authorities directly on the responsible Party; (iii) wilful misconduct or gross negligence; (iv) breach of confidentiality obligations under §3.2; (v) breach of the prohibition to train generalist AI models on Customer Data under §6(1); (vi) unauthorised onward transfers in violation of §4.
(b) Enhanced liability cap for data protection breaches. Where SINAURA is in breach of this DPA and such breach results in liability of the Customer towards data subjects under Art. 82 GDPR or in an administrative fine imposed on the Customer, the aggregate liability cap applicable under the MSA shall be increased to two (2) times the cap otherwise applicable, without prejudice to (a) above.
(2) Recourse. Where one Party has paid full compensation under Art. 82(4) GDPR, it shall be entitled to claim back from the other Party that part of the compensation corresponding to that other Party's responsibility under Art. 82(5) GDPR.
(3) Insurance. SINAURA shall maintain, throughout the term of the Agreement, a professional civil liability and cyber insurance policy with a primary insurer with reasonable financial standing, covering at minimum (i) liability arising from data protection breaches, (ii) costs of incident response and notification, (iii) defence costs. SINAURA shall provide a certificate of insurance upon Customer written request.
(4) Governing law and jurisdiction. This DPA is governed by Italian law, supplemented by the relevant European Union law. Jurisdiction is determined according to Art. 17 of the ToS (multi-region governing law and jurisdiction). Save for mandatory jurisdiction rules, where the Customer is headquartered in the EMEA region or Rest of World, the Court of Milan shall have exclusive jurisdiction.
(5) Amendments. Amendments to this DPA require written form (including in electronic form pursuant to Art. 28(9) GDPR). SINAURA may update Annex 1 (TOMs) and Annex 3 (Sub-processors) according to the procedures described in those Annexes (30 days' notice).
(6) Order of precedence — In case of conflict between this DPA and other documents constituting the Agreement, this DPA prevails to the extent the conflict concerns the processing of personal data, in accordance with Art. 19 of the ToS and §11.10 of the MSA.
Annex 1 · TECHNICAL AND ORGANISATIONAL MEASURES (ART. 32 GDPR)
Measures adopted by SINAURA pursuant to Art. 32 GDPR, following the scheme A) Confidentiality — B) Integrity — C) Availability — D) Procedures.
A — Confidentiality
Entry control — Processing facilities are operated by AWS (eu-central-1 data centres, Germany). Physical controls are implemented by the cloud sub-processor and attested by its independent certifications.
- Data-centre access control (AWS)
- Video surveillance and intrusion detection
- 24/7 security personnel at data centres
Access control
- Strong authentication: SSO SAML/OIDC with mandatory MFA for administrative accounts
- Password policy with complexity requirements and rotation; bcrypt / argon2 hashing
- Automatic locking of inactive sessions
- Encryption of storage media (AES-256 at-rest)
- Granular RBAC model based on least privilege
- Immutable logging of all access and privileged operations
- Quarterly review of authorisations and administrator accounts
- Formal joiner / mover / leaver procedure
- Clear-desk / clear-screen policy
- Secure decommissioning of media (crypto-shredding) handled by the cloud provider
Pseudonymisation — where applicable, direct identifiers are separated from product / telemetry data and stored in dedicated tables.
Data classification scheme — internal classification in 4 levels: public / internal / confidential / secret.
B — Data Integrity
- TLS 1.3 in-transit encryption on all network communications
- AES-256 at-rest encryption of volumes and buckets
- Private networks (VPC) with traffic segregation
- VPN for administrative access
- Digital signatures on artefacts generated by agents
- Cryptographic hashes for integrity verification of datasets and models
- Application logging of all write / update / delete operations
- Immutable audit trail of administrative actions
- Document management with versioning
C — Availability and Resilience
- Multi-AZ back-up strategy (Frankfurt eu-central-1a / 1b / 1c)
- Daily encrypted backups, 30-day retention
- Real-time multi-AZ replication — RPO < 24h, RTO < 4h
- UPS and diesel generators managed by the data-centre provider
- Antivirus and EDR on all corporate endpoints
- Firewall and WAF protecting exposed services
- Documented incident-response procedures, exercised semi-annually
- Disaster Recovery plan tested at least every six months
- 99.9% SLA on production services (see SLA)
D — Procedures for regular testing, assessing and evaluating
- Mandatory annual GDPR and EU AI Act training for all personnel
- AI Governance Committee with quarterly reviews
- Data Protection Contact (SINAURA Legal Department — info@sinauragroup.com); no DPO formally designated under Art. 37 GDPR as the mandatory designation criteria are not met
- Documented incident and data-breach procedure, with Customer notification within 24h (§3.5)
- Threat modelling and DPIA for every new feature impacting personal data
- Continuous vulnerability scanning (SAST / DAST / SCA)
- Annual penetration tests by independent third parties
- SBOM and supply-chain monitoring (Sigstore / SLSA)
- Formal contracts with all sub-processors
- Formalised project management with security reviews
- Strict selection of sub-processors (ISMS-certified)
- Periodic due diligence on suppliers
- Documented follow-up checks
Reference framework: GDPR · NIST CSF · CIS Controls · EU AI Act · NIS2. Sub-processors' certifications (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, C5, PCI DSS) are published by the respective providers and verifiable on their compliance pages.
Annex 2 · CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
Categories of data subjects
- Employees and contractors of the Customer who use the platform
- Suppliers, contractors and partners of the Customer whose data is uploaded by the Customer
- End customers and business contacts contained in integrated ERP/CMMS documents
- Visitors of the public website (separate Privacy Policy)
Categories of personal data
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| A — Account and identity data | Name, business email, role, MFA data, access logs | Service provision | Term of the agreement |
| B — Telemetry and logs | Product events, IP address, user-agent, audit trail, performance metrics | Security and service quality | 12 months for logs |
| C — Industrial content | Technical documents, work orders, SCADA telemetry, AI outputs | AgenticAI functions and vertical RAG | Term of the agreement |
| D — Administrative data | Invoicing data and contracts | Tax and administrative obligations | 10 years pursuant to Art. 2220 of the Italian Civil Code |
| E — Marketing data (opt-in) | Email address and communication preferences | Newsletters and commercial communications | Until withdrawal of consent |
Special categories under Art. 9 GDPR (health, biometric, ethnic, religious, trade-union): not processed by the platform unless covered by a specific written agreement and a prior DPIA.
Annex 3 · LIST OF AUTHORISED SUB-PROCESSORS
Updated as of 16 May 2026. Sub-processors' compliance pages are linked from sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors.
All sub-processors operate under Data Processing Agreements compliant with Art. 28 GDPR and rely on their own public compliance certifications. Material updates are reflected through SINAURA's publication at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors.
Authorised sub-processors as of 16 May 2026:
| Sub-processor | Role / purpose | Data location | Main certifications / commitments |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting infrastructure, storage, compute, database and backup | EU, Frankfurt (eu-central-1) across three Availability Zones | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, C5 (BSI), PCI DSS |
| Vercel Inc. | Hosting of the public front-end ariaplt.com for landing and marketing pages only; no Customer product data | EU, Frankfurt region pinning | SOC 2 Type II, ISO 27001, GDPR commitments |
| Postmark / AWS SES | Transactional emails such as account verification, password reset and notifications | EU | SOC 2, GDPR commitments |
| Stripe Payments Europe Ltd | Subscription payment processing | EU, Ireland | PCI DSS Level 1, SOC 1/2, GDPR commitments |
| Anthropic PBC | LLM inference via EU-resident endpoints with no-training and zero-retention settings | EU, subject to Customer opt-in | SOC 2 Type II, dedicated DPA, no-training configuration |
| OpenAI Ireland Ltd | LLM inference via EU-resident endpoints with no-training and zero-retention settings | EU, subject to Customer opt-in | SOC 2 Type II, dedicated DPA, no-training configuration |
| Mistral AI SAS | EU-native LLM inference for specific modules | EU, France | GDPR commitments, no-training configuration |
Changes to the list: notified to the Customer with at least 30 days' notice, via email to the administrative address and via update of sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors, with right of reasoned objection.
Annex 4 · RETURN AND DELETION PROCEDURE (T0–T15–T30)
Upon termination of the MSA / ToS, SINAURA guarantees the complete deletion of Customer data within 30 calendar days.
T0 — Day 0: Closure
- Customer confirms cancellation (in-app or via email to the Data Protection Contact)
- Immediate suspension of access
- Security snapshot for export
- Notification to Data Protection Contact and operations team
T1–T15 — Export window
- Final export in CSV / JSON / PDF format on request
- Export API available
- Return in the original format of receipt if requested
- Switching support pursuant to §3.10 of this DPA (EU Data Act)
T16–T30 — Wipe
- Deletion of accounts, embeddings, RAG vault, specialised agent configurations
- Crypto-shredding of encrypted backups
- Deletion certificate on request
Statutory exceptions: certain administrative and tax data (invoices, security access logs) are retained after workspace closure, exclusively in encrypted read-only archives, for the time strictly required by Italian law (e.g., 10 years for tax records under Art. 2220 Italian Civil Code).
© 2026 SINAURA S.R.L. · AriaPLT™ and Sinaura™ are registered trademarks of SINAURA S.R.L. · Version 1.3 · Last updated: 16 May 2026